1. Technical Field
The present invention relates in general to distributed computing environments (DCE) and in particular to the security of DCEs. Still more particularly, the present invention relates to a method and system for checking the security health of a DCE.
2. Description of the Related Art
Computer networks are well known in the arts and continue to grow in both size and complexity. This growth is fueled by more computers being connected to networks and connecting networks to other networks. These connections enable computers to work together efficiently, and to simplify sharing resources such as files, applications, printers, and even special computers.
The Open Systems Foundations (“OSF”) Group developed the Distributed Computing Environment (“DCE”). DCE transforms a group of networked computers into a single, coherent computing engine. DCE masks differences among different kinds of computers, thereby enabling users to develop and execute distributed applications that can tap into a network's latent power, using widespread resources such as storage devices, CPUs, and memory. The distributed parts of these applications can execute concurrently, and thus they are much more powerful than single-processor applications that act on data sequentially.
The Distributed Computing Environment (DCE) software provides an enormous opportunity to transform a group of networked computers into a single, coherent computing engine. As a layer of software that masks the differences among different kinds of computers, DCE enables a user to develop and execute distributed applications that can tap into a network's latent power, using widespread resources such as storage devices, CPUs, and memory. Because the distributed parts of these applications can execute concurrently, they can be much more powerful than single-processor applications that must act on data sequentially.
With a standard network (i.e., non-DCE), the applications are executed on the individual machine or a local server host. Typically, each user must first provide his or her identity by using a secret password to log onto the local host. The local host uses the password, which is known only to the user and the local host, as proof that the user is who he or she claims to be. Once the user logs onto the local host, the host resources are usually protected further by means of permissions or privileges associated with each file. The permissions regulate whether a user can read, write or execute that file. The number of users on a single local host is typically small enough so that the host alone can manage all of the passwords and permission functions.
A distributed computing environment, on the other hand, might support thousands of users accessing files on any of hundreds or thousands of local hosts in the environment. Because it is impractical to maintain every DCE user's security information on every host in the environment, DCE serves security information from a centralized database. This database, along with a distributed set of daemons and libraries, constitutes the DCE security service.
Many kinds of computers use a variety of measures to protect resources such as files and applications from unauthorized access. When servers enforce the security, each client must provide its user's identity and access rights. These are provided on the first remote procedure call (RPC) and, in highly secure environments, sometimes on every RPC call. Because access to every DCE resource—directories, files, printers, and so on—is controlled by a server, the servers typically require comprehensive network security for authentication and authorization.
A cell is the basic unit of operation and administration in DCE. A cell is a group of users, systems, and resources that typically have a common purpose and share common DCE Services. At a minimum, the cell configuration includes the Cell Directory Service, the Security Service, and the Time Service.
The DCE Security Service has been utilized to authenticate all DCE users and servers, making certain that people and programs using DCE are who they claim to be. Furthermore, resource administrators can protect distributed resources from unauthorized access using the authorization capabilities of the DCE Security Service.
In an authenticated environment, users and servers, known as principals, must prove their identities before being allowed to accomplish a task. This proof is in the form of a special kind of password. When a user enters a password at login, an authentication server verifies it against the data stored for that user in the authentication database. Principals within a cell share a common authentication server and database. If the security of a cell's authentication server is compromised, all passwords in that cell must be changed because they can no longer be considered secure. The larger the cell, the more work it can be to repair the damage resulting from a breach of security.
In DCE, the security service, which is also known as the registry, serves as a single source of security information and manages information about users, groups, and the like. This gives a company a single place to define and manage users. One limitation of this approach is the propagation of passwords. Additionally, most security checks are performed manually by a system administrator. This tends to be time consuming, inefficient, and susceptible to human error.
Unfortunately, distributed computing environments raise some security concerns, particularly how to protect data that must be shared among multiple users. Highly publicized network break-ins have alerted everyone to the vulnerability of distributed systems. Different kinds of networked computers use different security mechanisms that often do not operate together seamlessly or, more frequently, do not operate together at all. Such a patchwork of security mechanisms often leaves security holes that attract network snoopers and eavesdroppers.
When clients use servers in other cells, the cooperating cells must share a password. Thus a DCE environment with 5 cells that each cooperate with every other cell must maintain 20 passwords for complete intercell operation. Each cell administrator maintains a separate account and password for each of the other 4 cells, exchanging replacement passwords with the other cells' administrators when they expire or when the security of a cell's authentication server is compromised. This may not be a problem in DCE environments with 5, 10, or even 20 cells, but it may be a problem if 100 cells (sharing 9,801 passwords) must get new passwords.
The DCE software provides a secure environment for clients to conduct business, and therefore it is immensely important for the DCE and Distributed File Server (DFS) servers in the cell to be security compliant.
Resources such as servers, directories, files, or even records in databases can have an associated access control list (ACL) that specifies which operations can be performed by which user. When a file or directory can be accessed by anyone, it is termed “world readable” or “world writable.”
DCE components and applications can use different kinds of ACLs to protect their resources. The types of ACLs and their exact effects depend on how they are defined by the ACL manager for the specific component or application. If a user wishes to use ACLs to protect his application's resources, he must write his own ACL manager.
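The following is an added illustration, not code from the patent or from DCE itself, of the kind of automated check the preceding paragraphs motivate: scanning ACL listings for entries that make an object world readable or world writable. It assumes ACL entries written in the brace-delimited form {type [key] perms} that the DCE control program prints for file-system objects, with a six-character permission string in the order read, write, execute, control, insert, delete; the entry types any_other and unauthenticated are taken as the ones that grant access to everyone. Treating insert and delete as write-class permissions, and ignoring the mask_obj entry, are simplifications of this example. All sample ACLs are constructed.

```python
"""Automated check for world-readable / world-writable DCE ACL entries.

Added example, not code from the patent. It assumes ACL entries in the
brace-delimited form {type [key] perms} as printed by the DCE control program
for file-system objects, with a six-character permission string in the order
read, write, execute, control, insert, delete. The sample ACLs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Entry types that grant access to everyone: any_other covers every
# authenticated principal not matched by a more specific entry, and
# unauthenticated covers callers that never proved an identity.
WORLD_ENTRY_TYPES = {"any_other", "unauthenticated"}

# Permission bits that let the holder change the object or its contents.
# 'i' (insert) and 'd' (delete) only apply to directories; treating them
# as write-class permissions is an assumption of this example.
WRITE_CLASS = set("wid")

# {type perms} or {type key perms}; the mask_obj entry is parsed but not applied.
ENTRY_RE = re.compile(
    r"\{(?P<etype>[a-z_]+)(?:\s+(?P<key>[^\s{}]+))?\s+(?P<perms>[-rwxcid]{6})\}"
)


@dataclass(frozen=True)
class AclEntry:
    etype: str          # e.g. user_obj, group, any_other, unauthenticated
    key: Optional[str]  # principal or group name for user/group entries
    perms: str          # six-character permission string


def parse_acl(text: str) -> list:
    """Return every {type [key] perms} entry found in an ACL listing."""
    return [AclEntry(m["etype"], m["key"], m["perms"]) for m in ENTRY_RE.finditer(text)]


def world_exposure(entry: AclEntry) -> Optional[str]:
    """Classify one entry as 'writable', 'readable', or None if it exposes nothing."""
    if entry.etype not in WORLD_ENTRY_TYPES:
        return None
    if WRITE_CLASS & set(entry.perms):
        return "writable"
    if "r" in entry.perms:
        return "readable"
    return None


def check_object(name: str, acl_text: str) -> list:
    """Findings for a single object: one string per exposing entry."""
    findings = []
    for entry in parse_acl(acl_text):
        exposure = world_exposure(entry)
        if exposure is None:
            continue
        who = ("unauthenticated callers" if entry.etype == "unauthenticated"
               else "any authenticated principal")
        findings.append(f"{name}: world {exposure} ({entry.etype} {entry.perms}; {who})")
    return findings


def check_cell(acls: dict) -> dict:
    """Run the check over a mapping of object name -> ACL listing.

    Only objects with at least one finding appear in the result, so an empty
    dict means the sampled ACLs are clean.
    """
    report = {}
    for name, acl_text in acls.items():
        findings = check_object(name, acl_text)
        if findings:
            report[name] = findings
    return report


# Constructed sample ACLs (not captured from a real cell).
SAMPLE_ACLS = {
    "/.:/fs/apps/payroll": "{user_obj rwxcid}\n{group_obj r-x---}\n{any_other r-x---}",
    "/.:/fs/tmp/scratch":  "{user_obj rwxcid}\n{any_other rwx-id}\n{unauthenticated r-----}",
    "/.:/fs/private/keys": "{user_obj rw----}\n{user alice r-----}\n{any_other ------}",
}

if __name__ == "__main__":
    for obj, findings in check_cell(SAMPLE_ACLS).items():
        for line in findings:
            print(line)
```

Run on the constructed sample, the payroll directory is reported as world readable, the scratch directory as both world writable (via any_other) and world readable by unauthenticated callers, and the keys directory produces no finding because its any_other entry grants nothing. A production check would feed this function with listings gathered from each server in the cell and apply the mask_obj entry before classifying.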
DCE provides a secure operating environment when in use (i.e., transporting packets over the network from one DCE client machine to another DCE client machine); therefore, ensuring that the actual DCE software installed on the AIX machine is secure is of utmost importance.
A DCE administrator manages aspects of a cell's DCE security. This manual and time-consuming process must be performed by all DCE administrators and users, who are also required to document the results manually.
The present invention appreciates the fact that it would be desirable to provide a method and system for automatically checking the security health of a DCE. It would further be desirable to be able to automatically correct problems with the security of a DCE.